A fresh malware campaign aimed at cryptocurrency users is relying on bogus crypto trading apps, researchers at Volexity have found. Under the bogus name BloxHolder, the North Korean APT has been distributing fake cryptocurrency apps laced with AppleJeus malware to gain initial access to networks and cryptocurrency wallets. The malware is also spread using malicious Microsoft Office documents.
“Volexity’s analysis of this campaign uncovered a live cryptocurrency-themed website with contents stolen from another legitimate website. Further technical analysis of the deployed AppleJeus malware uncovered a new variation of DLL side-loading that Volexity has not seen previously documented as in the wild,” said the research report.
Since at least 2018, the APT group has used the AppleJeus malware to steal cryptocurrency from its victims. The new Lazarus campaign began in June 2022 and continued at least through October 2022, says the Volexity report.
Lazarus Group, AppleJeus, and previous campaigns
In April 2022, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Treasury Department issued a joint alert on cryptocurrency thefts and the tactics used by the Lazarus Group, a.k.a. APT38, BlueNoroff and Stardust Chollima, among other names.
“The Lazarus Group used AppleJeus trojanized cryptocurrency applications targeting individuals and companies—including cryptocurrency exchanges and financial services companies—through the dissemination of cryptocurrency trading applications that were modified to include malware that facilitates theft of cryptocurrency,” said the joint advisory.
“As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency. These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.”
Latest malware campaign
“North Korea has used AppleJeus malware posing as cryptocurrency trading platforms since at least 2018. In most instances, the malicious application—seen on both Windows and Mac operating systems—appears to be from a legitimate cryptocurrency trading company, thus fooling individuals into downloading it as a third-party application from a website that seems legitimate,” said a CISA analysis of the malware.
Volexity began observing the latest campaign in June 2022 and discovered that the APT group was using the domain bloxholder[.]com to host websites purportedly offering automated cryptocurrency trading. The site is a clone of the HaasOnline automated bitcoin trading platform. The threat actor uses this fake website to deliver a Windows MSI installer disguised as the BloxHolder software, which installs AppleJeus malware alongside the QTBitcoinTrader app.
In other words, the BloxHolder application is simply another instance of AppleJeus malware, this time bundled with the open-source bitcoin trading tool QTBitcoinTrader. According to the CISA report, the APT group has used the same application in its previous attacks. In October 2022, the group delivered AppleJeus malware via a Microsoft Office document named ‘OKX Binance & Huobi VIP fee comparision.xls’. These two files were used to target victims running Windows, where the document contained a macro split into two parts, which was used to decode a base64 blob.